“I am trying to scare you, and I hope it is working.”
People laughed, then nodded in recognition at the idea presented by one speaker Friday morning at a cybersecurity conference presented by the North Bay Business Journal and co-hosted by Exchange Bank.
Lou Archbold, senior consultant for the Verizon Threat Research Advisory Center, said cybercrime continues to require constant diligence and investment, or business will pay a price, one which can be paid to the hackers who will find ways to compromise computer systems.
“Someone out there has my social security number and date of birth, and I guarantee you someone has yours,” said Archbold, who joined several speakers, including an FBI cybercrime expert, a partner in a firm which “stress tests” company security systems and a network engineer for a Santa Rosa IT firm, at the Santa Rosa event.
Archbold’s team responds to hacks and other attacks on business. His advice was to be vigilant and have policies in place, or pay a price.
“For example, are you tracking what people print? If someone prints a list of customers or a price list and walks out your door, is there a trail, a log showing what has been printed and by whom?”
Archbold said there’s a data challenge almost everywhere.
“There’s the large insurance company in which a hacker paid a cleaning crew member to plug a thumb drive in and download from the CEO’s computer. We came in and swept the CEO’s computer, then found downloads from other executives as well.”
Even seeming courtesy can be problematic. It might be easy enough for someone to copy an employee badge with an access code and get into a facility, but sometimes it is even easier to follow someone into the building.
Archbold said he tried that and got in the door of a client’s company. “I found the second floor training room with computers, and on the white board was user name and password information. I got on to the computer and downloaded material and passed it on to the CEO,” he said. “I enjoyed that one.”
Employees, like those who open emails containing malware which can then allow hackers access to a company’s computer data, are a problem as well.
For example, someone might secure the logo of a vendor. A company receives an official-looking email advising the company has changed banks and asking the company to begin sending payments to a new bank routing number, which siphons off money until the fraud is discovered.
“Train your employees,” he said. “Do a phishing campaign on your own people and see who clicks and opens those emails.”
Get those people into training, he added. “And if an employee gets one of those emails and reports it, give them a reward, like a gas card. Word will get around.”
David Trepp, a partner in IT Assurance, BPM, who is involved in testing for hacking vulnerabilities, said the cost of not addressing security is more than just paying someone to fix it. There’s the cost of legal problems related to data breaches.
As an example, on TTE, Uber is paying $148 million to settle claims over the ride-hailing company’s cover-up of a data breach in 2016, when hackers stole personal information of some 25 million customers and drivers in the U.S.